
Codecov token not found multiple tries

Open Kohulan opened this issue 1 year ago • 14 comments

Hi All,

We have set CODECOV_TOKEN under repository secret, and for some reason whatever we are trying the upload is not working.

yml file: https://github.com/Steinbeck-Lab/cheminformatics-microservice/blob/main/.github/workflows/test.yml

PR: https://github.com/Steinbeck-Lab/cheminformatics-microservice/pull/499

workflow run: https://github.com/Steinbeck-Lab/cheminformatics-microservice/actions/runs/9303645699/job/25608525393

Is it a problem from outside or some bug from codecov?

I also tested #1425, but it is not working.

Kind regards, Kohulan

Kohulan avatar May 30 '24 14:05 Kohulan

Same issue here (nothing changed in the repo or settings, failures started yesterday): https://github.com/open-atmos/PySDM/actions/runs/9304455645/job/25625735958?pr=1335 log:


```
==> Running version latest
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created
gpg: key 806BB28AED779869: public key "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1

gpg: Signature made Wed May  8 17:49:27 2024 UTC
gpg:                using RSA key 27034E7FDB850E0BBC2C62FF806BB28AED779869
gpg: Good signature from "Codecov Uploader (Codecov Uploader Verification Key) <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2703 4E7F DB85 0E0B BC2C  62FF 806B B28A ED77 9869

==> Running version v0.6.0
==> Running git config --global --add safe.directory /home/runner/work/PySDM/PySDM
/usr/bin/git config --global --add safe.directory /home/runner/work/PySDM/PySDM
==> Running command '/home/runner/work/_actions/codecov/codecov-action/v4.1.0/dist/codecov -v create-commit'
/home/runner/work/_actions/codecov/codecov-action/v4.1.0/dist/codecov -v create-commit --git-service github -C cc1e4d4cdda4dd45d16d5a4c2b2e02252a578fd4 -Z
==> Uploader SHASUM verified (209d13481be406d6a2aa9519fa61c84883e3213308b5628c43a5e94cae75b8e6  codecov)
info - 2024-05-30 22:03:17,699 -- ci service found: github-actions
debug - 2024-05-30 22:03:17,702 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-30 22:03:17,705 -- versioning system found: <class 'codecov_cli.helpers.versioning_systems.GitVersioningSystem'>
debug - 2024-05-30 22:03:17,708 -- Loading config from /home/runner/work/PySDM/PySDM/.codecov.yml
debug - 2024-05-30 22:03:17,710 -- Starting create commit process --- {"commit_sha": "cc1e4d4cdda4dd45d16d5a4c2b2e02252a578fd4", "parent_sha": null, "pr": "1335", "branch": "dependabot/pip/pypartmc-1.3.1", "slug": "open-atmos/PySDM", "token": null, "service": "github", "enterprise_url": null}
Error: Codecov token not found. Please provide Codecov token with -t flag.
Error: Codecov: Failed to properly create commit: The process '/home/runner/work/_actions/codecov/codecov-action/v4.1.0/dist/codecov' failed with exit code 1
```

slayoo avatar May 31 '24 11:05 slayoo

I think I have the same problem. Repo secret is set. We use reusable workflow from https://github.com/OpenAstronomy/github-actions-workflows/blob/7d299a4ef6a655f79dabe1c147c3b095ef69cacd/.github/workflows/tox.yml#L253-L260

pllim avatar Jun 04 '24 16:06 pllim

In our case, the problem was that the Dependabot secret was not set (https://github.com/codecov/codecov-action/?tab=readme-ov-file#dependabot)

slayoo avatar Jun 05 '24 11:06 slayoo

@slayoo We did set everything; nothing was working. I am not sure what went wrong here.

Kohulan avatar Jun 05 '24 12:06 Kohulan

Same here. I added the token to Dependabot and tried with `token: ${{ secrets.CODECOV_TOKEN }}` and `env`, but still get the same error:

Error: Codecov token not found. Please provide Codecov token with -t flag.

nbari avatar Jun 09 '24 18:06 nbari

Hi @thomasrockhu-codecov ,

I thought of asking you directly since this is an issue seen predominantly on most of our repositories. Could you kindly let us know what could be the problem?

Kohulan avatar Jun 11 '24 11:06 Kohulan

PR created by dependabot is failing for the same reason. 🥲 https://github.com/codecov/codecov-action/issues/1463#issuecomment-2141861916

skaengus2012 avatar Jun 11 '24 14:06 skaengus2012

@Kohulan and @skaengus2012

Have you added the secret in the Dependabot secrets section? That is different from a normal report secret, Dependabot does not have access to regular secrets.

drazisil-codecov avatar Jun 11 '24 17:06 drazisil-codecov

@drazisil-codecov

Yes, it is already in place.

Kohulan avatar Jun 11 '24 17:06 Kohulan

@drazisil-codecov

I've checked that my repo only exists in Actions.

But v3, and v4 until recently, it worked well. What changes have been made recently?

skaengus2012 avatar Jun 12 '24 01:06 skaengus2012

Same problem!

marcosschroh avatar Jun 12 '24 09:06 marcosschroh

> @drazisil-codecov
>
> I've checked that my repo only exists in Actions.
>
> But v3, and v4 until recently, it worked well. What changes have been made recently?

It's likely related to 4.4.1, as it was released 3 weeks ago and this issue was created 2 weeks ago. Furthermore, there's #1447 which is this issue specifically for said version. Going to try pinning 4.4.0 and will edit the response afterwards to let you know whether it worked or not.


Edit: Downgrade didn't work. Will try suggestion in the linked issue. Would recommend moderators/maintainers to close this issue so discussions about this issue are kept in a single place though.

gsilvapt avatar Jun 12 '24 14:06 gsilvapt

Same problem. But the same yml can run on code push, and I asked GitHub and got an answer like this:

> Thank you for reaching out to GitHub Support!
>
> The security feature mentioned in the Copilot response applies only to pull requests opened by forks. For these PRs, secrets are not accessible and GITHUB_TOKEN is limited to read-only for workflows triggered by the pull_request event.
>
> https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#accessing-secrets
> Workflows triggered from a forked repository using the pull_request event have read-only permissions and have no access to secrets.
>
> The [working example](https://github.com/codecov/codecov-action/actions/runs/10242748255) you shared was triggered from a non-fork PR - so the secret was accessible, unlike in this [example](https://github.com/alibaba/nacos/actions/runs/10243765296) where the PR was opened by a fork.
>
> There isn't any way to disable this security measure for public repositories. Shifting to the [pull_request_target](https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#pull_request_target) triggering event as mentioned would be a way to have secrets be accessible - but as you've noted, this event executes from the base of the PR, and also comes with possible risks of the added access to fork PRs.
>
> Please let me know if you have any additional questions or concerns!
> Best,
>
> Arthur
> GitHub Support

I think there were some changes in the GitHub Actions workflow during these weeks, so that pull requests from others might not be able to get the secret. How to solve it?

KomachiSion avatar Aug 07 '24 05:08 KomachiSion
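
The two causes named in this thread (Dependabot runs reading a separate secret store, and `pull_request` runs from forks getting no secrets) can be told apart inside the job before the upload step. The script below is an added example, not code from the thread or from the codecov-action project; `PR_HEAD_REPO` is a hypothetical variable the workflow would have to set itself, and the sample call at the end uses constructed values.

```shell
#!/bin/sh
# Classify why CODECOV_TOKEN is empty in a run, per the cases in this thread.
# Only emptiness is tested; the token value is never printed.

# secret_scope ACTOR EVENT BASE_REPO HEAD_REPO TOKEN -> prints one class name
secret_scope() {
    actor=$1; event=$2; base=$3; head=$4; token=$5
    if [ -n "$token" ]; then
        echo "token-present"
    elif [ "$event" = "pull_request" ] && [ -n "$head" ] && [ "$head" != "$base" ]; then
        # pull_request from a fork: secrets withheld, GITHUB_TOKEN read-only
        echo "fork-pr-no-secrets"
    elif [ "$actor" = "dependabot[bot]" ]; then
        # Dependabot-triggered runs read Dependabot secrets, not Actions secrets
        echo "dependabot-secret-missing"
    else
        echo "actions-secret-missing"
    fi
}

# explain CLASS -> prints the matching remediation hint
explain() {
    case "$1" in
        token-present)
            echo "Token is set; the failure has another cause." ;;
        fork-pr-no-secrets)
            echo "Fork PR: secrets are not available to pull_request runs." ;;
        dependabot-secret-missing)
            echo "Dependabot run: add CODECOV_TOKEN under Dependabot secrets." ;;
        *)
            echo "No token: check the Actions secret name and the token input." ;;
    esac
}

# In a workflow step (PR_HEAD_REPO is a hypothetical env var that the workflow
# sets from github.event.pull_request.head.repo.full_name):
#   explain "$(secret_scope "$GITHUB_ACTOR" "$GITHUB_EVENT_NAME" \
#       "$GITHUB_REPOSITORY" "$PR_HEAD_REPO" "$CODECOV_TOKEN")"

# Constructed sample shaped like the failing Dependabot run logged earlier.
explain "$(secret_scope 'dependabot[bot]' pull_request open-atmos/PySDM open-atmos/PySDM '')"
```
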

I added tokens to dependabot, and from then on my repo works fine. https://github.com/codecov/codecov-action/issues/1463#issuecomment-2161872918

skaengus2012 avatar Aug 08 '24 01:08 skaengus2012

> In our case, the problem was that the Dependabot secret was not set (https://github.com/codecov/codecov-action/?tab=readme-ov-file#dependabot)

This works fine for me, thanks folks! 💯

eredotpkfr avatar Nov 04 '24 11:11 eredotpkfr